| Message ID | 20260227134617.23378-1-radim.krcmar@oss.qualcomm.com |
|---|---|
| State | Accepted |
| Series | RISC-V: KVM: fix off-by-one array access in SBI PMU |
On Fri, Feb 27, 2026 at 7:20 PM Radim Krčmář <radim.krcmar@oss.qualcomm.com> wrote: > > The indexed array only has RISCV_KVM_MAX_COUNTERS elements. > The out-of-bound access could have been performed by a guest, but it > could only access another guest accessible data. > > Fixes: 8f0153ecd3bf ("RISC-V: KVM: Add skeleton support for perf") > Signed-off-by: Radim Krčmář <radim.krcmar@oss.qualcomm.com> Thanks for catching. Reviewed-by: Anup Patel <anup@brainfault.org> Queued this patch as fixes for Linux-7.0-rcX. Thanks, Anup > --- > arch/riscv/kvm/vcpu_pmu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c > index 4d8d5e9aa53d..aec6b293968b 100644 > --- a/arch/riscv/kvm/vcpu_pmu.c > +++ b/arch/riscv/kvm/vcpu_pmu.c > @@ -520,7 +520,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, unsigned long cidx, > { > struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu); > > - if (cidx > RISCV_KVM_MAX_COUNTERS || cidx == 1) { > + if (cidx >= RISCV_KVM_MAX_COUNTERS || cidx == 1) { > retdata->err_val = SBI_ERR_INVALID_PARAM; > return 0; > } > -- > 2.51.2 >
Hello:

This patch was applied to riscv/linux.git (for-next)
by Anup Patel <anup@brainfault.org>:

On Fri, 27 Feb 2026 13:46:16 +0000 you wrote:
> The indexed array only has RISCV_KVM_MAX_COUNTERS elements.
> The out-of-bound access could have been performed by a guest, but it
> could only access another guest accessible data.
>
> Fixes: 8f0153ecd3bf ("RISC-V: KVM: Add skeleton support for perf")
> Signed-off-by: Radim Krčmář <radim.krcmar@oss.qualcomm.com>
>
> [...]

Here is the summary with links:
  - RISC-V: KVM: fix off-by-one array access in SBI PMU
    https://git.kernel.org/riscv/c/5c1bb0787111

You are awesome, thank you!

diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c index 4d8d5e9aa53d..aec6b293968b 100644 --- a/arch/riscv/kvm/vcpu_pmu.c +++ b/arch/riscv/kvm/vcpu_pmu.c @@ -520,7 +520,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, unsigned long cidx, { struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu); - if (cidx > RISCV_KVM_MAX_COUNTERS || cidx == 1) { + if (cidx >= RISCV_KVM_MAX_COUNTERS || cidx == 1) { retdata->err_val = SBI_ERR_INVALID_PARAM; return 0; }
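
Review bot: The corrected `cidx >= RISCV_KVM_MAX_COUNTERS` check on the `+` line closes the architectural off-by-one, but `cidx` is an `unsigned long` that the commit message says a guest controls, so it can still be used as a speculative out-of-bounds index if the branch is mispredicted. Consider clamping it with `array_index_nospec(cidx, RISCV_KVM_MAX_COUNTERS)` after the check and before the array is indexed. Separately, the `cidx == 1` term in the same condition has no comment in the visible context; a short comment or a named constant saying why index 1 is rejected would make the check easier to audit. It is also worth confirming that no other comparison against RISCV_KVM_MAX_COUNTERS in this file uses `>` where `>=` is needed.
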
The indexed array only has RISCV_KVM_MAX_COUNTERS elements.
The out-of-bound access could have been performed by a guest, but it
could only access another guest accessible data.

Fixes: 8f0153ecd3bf ("RISC-V: KVM: Add skeleton support for perf")
Signed-off-by: Radim Krčmář <radim.krcmar@oss.qualcomm.com>
---
 arch/riscv/kvm/vcpu_pmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)